Date:      Tue, 13 Jan 2004 01:32:14 -0500
From:      freebsd@usww.com
To:        freebsd-ipfw@freebsd.org
Subject:   4.9 Release ipfw2 - OUCH using limit - reboots
Message-ID:  <400390EE.385042D2@usww.com>
References:  <200401121901.i0CJ1Wfd025289@freefall.freebsd.org>


Has anyone seen a problem using 4.9 release with IPFW2 using limit
causing crashes/reboots and 'OUCH! cannot remove rule, count 65535'
in the logfile? Or, does anyone see a problem with my logic?

Any help would be appreciated,
Ben


sysctl config settings:
sysctl net.link.ether.bridge_cfg=xl0:0,xl1:0
sysctl net.link.ether.bridge_ipfw=1
sysctl net.link.ether.bridge=1

---INTERNAL COMPUTERS---xl1--Gateway--xl0---WWW---

# xl0 goes to the WWW from the gateway
# xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
#         inet XX.XX.XX.XX netmask 0xffffff00 broadcast XX.XX.XX.255
#         ether 00:60:97:XX:XX:XX
#         media: Ethernet autoselect (10baseT/UTP)  status: active  

# xl1 goes to internal computers from the gateway
# xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
#         ether 00:a0:24:XX:XX:XX
#         media: Ethernet autoselect (100baseTX <full-duplex>)  status: active

The following 3 types of lines have been working fine for some time. I have 9 pipes
for 9 machines.
The first two simply count the packets/bytes to and from the Ethernet card.
The third manages outgoing bandwidth from one of the several IPs.

                               Dest               Source
ipfw -q add 100 count mac YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX
ipfw -q add 100 count mac XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY
ipfw -q add 155 pipe 3 tcp from 216.XX.XX.6 20,21,25,80,110 to any;ipfw pipe 3 config bw 512Kbit/s

Sample use of limit that seems to cause the problem:
ipfw -q add 00182 allow log logamount 1000 tcp from any to 216.XX.XX.6 setup limit src-addr 3 in via xl1

Adding the above limit works fine until a large amount of traffic occurs,
then the gateway reboots.

If you try to ipfw delete 182 the following is put in /var/log/messages 

Jan  9 18:48:20 router7206 /kernel: Mounting root from ufs:/dev/ad0s1a
Jan  9 18:48:20 router7206 /kernel: WARNING: / was not properly dismounted
Jan  9 18:48:24 router7206 /kernel: xl0: promiscuous mode enabled
Jan  9 18:48:24 router7206 /kernel: xl1: promiscuous mode enabled
Jan  9 18:48:45 router7206 su: ben to root on /dev/ttyp0
## The following error was put in the log when 'ipfw delete 182' was executed.
Jan  9 18:48:46 router7206 /kernel: OUCH! cannot remove rule, count 65535
Jan  9 18:48:46 router7206 last message repeated 2 times
Jan  9 18:48:49 router7206 /kernel: bad block -65536, ino 84588
Jan  9 18:48:49 router7206 /kernel: pid 6 (syncer), uid 0 on /var: bad block
Jan  9 18:48:49 router7206 /kernel: handle_workitem_freeblocks: block count


Jan  9 18:50:58 router7206 /kernel: Mounting root from ufs:/dev/ad0s1a
Jan  9 18:50:58 router7206 /kernel: WARNING: / was not properly dismounted
Jan  9 18:51:03 router7206 /kernel: xl0: promiscuous mode enabled
Jan  9 18:51:03 router7206 /kernel: xl1: promiscuous mode enabled
Jan  9 18:51:27 router7206 /kernel: bad block -65536, ino 21135
Jan  9 18:51:27 router7206 /kernel: pid 6 (syncer), uid 0 on /var: bad block
Jan  9 18:51:27 router7206 /kernel: handle_workitem_freeblocks: block count
Jan  9 18:51:27 router7206 /kernel: bad block -65536, ino 21131
Jan  9 18:51:27 router7206 /kernel: pid 6 (syncer), uid 0 on /var: bad block
Jan  9 18:51:48 router7206 su: ben to root on /dev/ttyp0
## The following error was put in the log when 'ipfw delete 182' was executed.
Jan  9 18:52:54 router7206 /kernel: OUCH! cannot remove rule, count 65535
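
An added example, not part of the original message: a way to summarize a /var/log/messages excerpt like the one above by boot session, so crashes and the 'OUCH! cannot remove rule' message can be lined up. The sample lines are constructed from the excerpt, and `summarize_boots` is a hypothetical helper name.

```python
import re

# Constructed sample, shaped like the log excerpt quoted in the message above.
SAMPLE_LOG = """\
Jan  9 18:48:20 router7206 /kernel: Mounting root from ufs:/dev/ad0s1a
Jan  9 18:48:20 router7206 /kernel: WARNING: / was not properly dismounted
Jan  9 18:48:46 router7206 /kernel: OUCH! cannot remove rule, count 65535
Jan  9 18:48:46 router7206 last message repeated 2 times
Jan  9 18:48:49 router7206 /kernel: bad block -65536, ino 84588
Jan  9 18:50:58 router7206 /kernel: Mounting root from ufs:/dev/ad0s1a
Jan  9 18:50:58 router7206 /kernel: WARNING: / was not properly dismounted
Jan  9 18:52:54 router7206 /kernel: OUCH! cannot remove rule, count 65535
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (.*)$")
REPEAT = re.compile(r"last message repeated (\d+) times?")


def summarize_boots(text):
    """Split a syslog excerpt into boot sessions and count events in each."""
    boots, prev_msg = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, _host, msg = m.groups()
        if "Mounting root from" in msg:
            # A new boot session starts here.
            boots.append({"start": stamp, "unclean": False,
                          "ouch": 0, "bad_block": 0})
            prev_msg = None
            continue
        if not boots:
            continue  # lines before the first boot marker cannot be attributed
        cur = boots[-1]
        rep = REPEAT.search(msg)
        # syslogd collapses duplicates; credit the repeats to the previous line.
        times, body = (int(rep.group(1)), prev_msg) if rep else (1, msg)
        if body is None:
            continue
        if "was not properly dismounted" in body:
            cur["unclean"] = True  # the previous shutdown was a crash or reset
        if "OUCH! cannot remove rule" in body:
            cur["ouch"] += times
        if body.startswith("/kernel: bad block"):
            cur["bad_block"] += times
        if not rep:
            prev_msg = msg
    return boots
```
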


